
High-throughput linked-pattern matching for intrusion detection systems

Published: 26 October 2005

Abstract

This paper presents a hardware architecture for highly efficient intrusion detection systems, together with a software tool that generates the hardware automatically. Intrusion detection for network security is a compute-intensive application demanding high system performance. By moving both the string matching and the linking of multi-part rules into hardware, our architecture leaves the host system free for higher-level analysis. The tool automates the creation of efficient Field Programmable Gate Array (FPGA) architectures. The generated hardware allows an FPGA-based system to perform deep-packet inspection of streams at up to 10 Gb/s line rates with high area efficiency. Going beyond previous implementations that offer only single-string matching, the architecture supports rules requiring complex, linked (correlated-content) constructions. This covers most Snort content-linking extensions, including the 'distance' and 'within' bounding restrictions.
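The abstract's key point is that a rule with several content clauses is not a set of independent string matches: each later clause is anchored to where the previous one ended, and Snort's distance and within modifiers bound that gap. The following is an added software model of that linking step, written for this page; it is not the paper's hardware, its generator tool, or Snort's own code. It assumes the Snort manual's semantics as I read them (distance skips N bytes after the previous match end; within is the length of the window in which the next pattern must fit entirely), and the rule body and payloads are constructed samples, not real signatures or captured traffic. It also shows one caveat that a hardware or software linker has to handle: taking only the first occurrence of an earlier clause can miss a valid linked match, so the matcher backtracks over earlier occurrences.

```python
"""Software model of Snort-style linked (correlated-content) matching.

A multi-content rule is an ordered list of content clauses. Clause 0 is
searched over the whole payload; every later clause is searched relative to
the END of the previous clause's match (Snort manual semantics, assumed here):
  distance:N  start searching N bytes after the previous match ended
  within:N    the pattern must lie entirely inside the N bytes that follow
              that distance-adjusted start point
A clause with no `within` searches to the end of the payload.
"""
from dataclasses import dataclass, replace
from typing import Iterator, List, Optional, Tuple

Span = Tuple[int, int]  # (start, end) byte offsets, end exclusive


@dataclass(frozen=True)
class Content:
    pattern: bytes
    distance: int = 0             # relative offset from the previous match end
    within: Optional[int] = None  # search-window length; None = unbounded
    nocase: bool = False


def _decode_content(literal: str) -> bytes:
    """Decode a Snort content literal: text with optional |hex bytes| runs."""
    out = bytearray()
    for k, part in enumerate(literal.split("|")):
        out += part.encode("latin-1") if k % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule_options(options: str) -> List[Content]:
    """Parse content/distance/within/nocase from a Snort 2 style option body.

    Other options are ignored; modifiers attach to the most recent content.
    Simplification: a ';' inside a content string is not supported.
    """
    clauses: List[Content] = []
    for opt in (o.strip() for o in options.split(";")):
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content":
            clauses.append(Content(_decode_content(value.strip('"'))))
        elif name in ("distance", "within", "nocase"):
            if not clauses:
                raise ValueError(f"{name} modifier before any content")
            if name == "nocase":
                clauses[-1] = replace(clauses[-1], nocase=True)
            else:
                clauses[-1] = replace(clauses[-1], **{name: int(value)})
    return clauses


def _occurrences(hay: bytes, pat: bytes, start: int, end: int) -> Iterator[int]:
    """Yield every index in [start, end) where pat fits entirely in the window."""
    i, end = max(start, 0), min(end, len(hay))
    while True:
        j = hay.find(pat, i, end)  # find() requires the whole pat inside [i, end)
        if j < 0:
            return
        yield j
        i = j + 1


def match_rule(payload: bytes, rule: List[Content],
               backtrack: bool = True) -> Optional[List[Span]]:
    """Return one span per clause if the rule fires on payload, else None.

    With backtrack=True, if the first occurrence of clause i leaves no valid
    position for clause i+1, later occurrences of clause i are tried. With
    backtrack=False only the first occurrence is used, which can miss hits.
    """
    def search(idx: int, prev_end: int, spans: List[Span]) -> Optional[List[Span]]:
        if idx == len(rule):
            return spans
        c = rule[idx]
        hay = payload.lower() if c.nocase else payload
        pat = c.pattern.lower() if c.nocase else c.pattern
        if idx == 0:
            start, end = 0, len(payload)          # first clause is absolute
        else:
            start = prev_end + c.distance
            end = start + c.within if c.within is not None else len(payload)
        for pos in _occurrences(hay, pat, start, end):
            hit = search(idx + 1, pos + len(pat), spans + [(pos, pos + len(pat))])
            if hit is not None:
                return hit
            if not backtrack:
                break
        return None

    return search(0, 0, [])


if __name__ == "__main__":
    # Constructed rule body modelled on a Snort multi-content rule; not a real
    # Snort signature.
    RULE = parse_rule_options(
        'content:"GET "; nocase; content:"/cgi-bin/"; distance:0; within:64; '
        'content:"../"; distance:0; within:256;'
    )
    # Constructed sample payloads.
    print(match_rule(b"GET /cgi-bin/test.cgi?f=../../etc/passwd HTTP/1.0\r\n", RULE))
    print(match_rule(b"GET /cgi-bin/test.cgi HTTP/1.0\r\n", RULE))
    # Greedy first-match linking misses this hit; backtracking finds it.
    tight = [Content(b"A"), Content(b"B", within=1)]
    print(match_rule(b"AxAB", tight, backtrack=False), match_rule(b"AxAB", tight))
```

The backtracking case is the one to keep in mind when evaluating any linked-pattern engine, hardware or software: on the payload "AxAB" the first "A" leaves no room for "B" within one byte, so an engine that only remembers the first anchor position reports no match even though the rule does fire at the second "A".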



      Published In

      cover image ACM Conferences
      ANCS '05: Proceedings of the 2005 ACM symposium on Architecture for networking and communications systems
      October 2005
      230 pages
      ISBN:1595930825
      DOI:10.1145/1095890
      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. network intrusion detection
      2. string matching


      Acceptance Rates

      Overall Acceptance Rate 88 of 314 submissions, 28%


      Cited By
      • (2023) Analysis of TLS Prefiltering for IDS Acceleration. Passive and Active Measurement, pp. 85-109. DOI 10.1007/978-3-031-28486-1_5. Online publication date: 21 Mar 2023.
      • (2021) SmartWatch. Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies, pp. 60-75. DOI 10.1145/3485983.3494861. Online publication date: 2 Dec 2021.
      • (2021) GenSeq+: A Scalable High-Performance Accelerator for Genome Sequencing. IEEE/ACM Transactions on Computational Biology and Bioinformatics 18(4), pp. 1512-1523. DOI 10.1109/TCBB.2019.2947059. Online publication date: 1 Jul 2021.
      • (2020) Achieving 100Gbps intrusion prevention on a single server. Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, pp. 1083-1100. DOI 10.5555/3488766.3488827. Online publication date: 4 Nov 2020.
      • (2019) Field Programmable Gate Array Applications—A Scientometric Review. Computation 7(4), article 63. DOI 10.3390/computation7040063. Online publication date: 11 Nov 2019.
      • (2019) Efficient pattern matching algorithm for security and Binary Search Tree (BST) based memory system in Wireless Intrusion Detection System (WIDS). Computer Communications. DOI 10.1016/j.comcom.2019.11.035. Online publication date: Nov 2019.
      • (2018) FPGA Implementation of Pattern Matching for Industrial Control Systems. 2018 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), pp. 210-213. DOI 10.1109/IPDPSW.2018.00040. Online publication date: May 2018.
      • (2016) SCADIS: A Scalable Accelerator for Data-Intensive String Set Matching on FPGAs. 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 1190-1197. DOI 10.1109/TrustCom.2016.0193. Online publication date: Aug 2016.
      • (2014) mDFA. Wireless Personal Communications: An International Journal 78(4), pp. 1833-1847. DOI 10.1007/s11277-014-2047-x. Online publication date: 1 Oct 2014.
      • (2013) Scalable high-performance parallel design for network intrusion detection systems on many-core processors. Proceedings of the ninth ACM/IEEE symposium on Architectures for networking and communications systems, pp. 137-146. DOI 10.5555/2537857.2537883. Online publication date: 21 Oct 2013.